postgres/contrib/pg_tde/documentation/docs/global-key-provider-configu.../set-principal-key.md

# Global Principal Key Configuration

You can configure a default principal key using a global key provider. This key will be used by all databases that do not have their own encryption keys configured. The function **both** sets the principal key and rotates internal keys as needed.

## Create a default principal key

To create a global principal key, run:

```sql
SELECT pg_tde_create_key_using_global_key_provider(
    'key-name',
    'global_vault_provider'
);
```

## Configure a default principal key

To configure a global principal key, run:

```sql
SELECT pg_tde_set_default_key_using_global_key_provider(
    'key-name',
    'global_vault_provider'
);
```

## Parameter description

* `key-name` is the name under which the principal key is stored in the provider.
* `global_vault_provider` is the name of the global key provider you previously configured.

## How key generation works

The key material (actual cryptographic key) is auto-generated by `pg_tde` and stored securely by the configured provider.

!!! note
    This process sets the **default principal key for the entire server**. Any database without a key explicitly configured will fall back to this key.

## Example

This example is for testing purposes only. Replace the key name and provider name with your values:

```sql
SELECT pg_tde_create_key_using_global_key_provider(
    'test-db-master-key',
    'file-vault'
);

SELECT pg_tde_set_key_using_global_key_provider(
    'test-db-master-key',
    'file-vault'
);
```

## Next steps

[Validate Encryption with pg_tde :material-arrow-right:](../test.md){.md-button}
Tde documentation updates for ga (#251) Modified the structure and overall presentation for the users to make it more accessible and future-proof as we improve pg_tde moving forward. Split big chapters into smaller chunks to improve SEO, renamed a couple of files for better visibility online and cleaned a bit of text. Integrated changes from: - https://github.com/percona/postgres/pull/314 - https://github.com/percona/postgres/pull/306 - Commit f636e82 4 months ago			`# Global Principal Key Configuration`

Updating pg_tde_set_default_key_using_global_key_provider parameter (#351) Updates to # Global Principal Key Configuration parameter of setting global key Rewrote and added correct falste/true parameters for ensure_new_key on set_default_key. --------- Co-authored-by: Anastasia Alexandrova <anastasia.alexandrova@percona.com> 4 months ago			`You can configure a default principal key using a global key provider. This key will be used by all databases that do not have their own encryption keys configured. The function both sets the principal key and rotates internal keys as needed.`
Tde documentation updates for ga (#251) Modified the structure and overall presentation for the users to make it more accessible and future-proof as we improve pg_tde moving forward. Split big chapters into smaller chunks to improve SEO, renamed a couple of files for better visibility online and cleaned a bit of text. Integrated changes from: - https://github.com/percona/postgres/pull/314 - https://github.com/percona/postgres/pull/306 - Commit f636e82 4 months ago
			`## Create a default principal key`

Re-apply set key changes: revert of revert commit (#461) reverted the revert for set key changes for architecture, functions, set principal key and multi-tenant-setup.md 3 months ago			`To create a global principal key, run:`

			```sql
			`SELECT pg_tde_create_key_using_global_key_provider(`
			`'key-name',`
			`'global_vault_provider'`
			`);`
			```

			`## Configure a default principal key`

Updating pg_tde_set_default_key_using_global_key_provider parameter (#351) Updates to # Global Principal Key Configuration parameter of setting global key Rewrote and added correct falste/true parameters for ensure_new_key on set_default_key. --------- Co-authored-by: Anastasia Alexandrova <anastasia.alexandrova@percona.com> 4 months ago			`To configure a global principal key, run:`
Tde documentation updates for ga (#251) Modified the structure and overall presentation for the users to make it more accessible and future-proof as we improve pg_tde moving forward. Split big chapters into smaller chunks to improve SEO, renamed a couple of files for better visibility online and cleaned a bit of text. Integrated changes from: - https://github.com/percona/postgres/pull/314 - https://github.com/percona/postgres/pull/306 - Commit f636e82 4 months ago
			```sql
DOCS-KMIP-updates (#337) initial commit, fixes to code presentation - Updates to kmip with fixes to how we present code (website looks better now!) - Updates set-principal-key with similar fixes - Updated keyring.md with similar fixes And updated functions for two parameters with updates from 1506 4 months ago			`SELECT pg_tde_set_default_key_using_global_key_provider(`
Updating pg_tde_set_default_key_using_global_key_provider parameter (#351) Updates to # Global Principal Key Configuration parameter of setting global key Rewrote and added correct falste/true parameters for ensure_new_key on set_default_key. --------- Co-authored-by: Anastasia Alexandrova <anastasia.alexandrova@percona.com> 4 months ago			`'key-name',`
Re-apply set key changes: revert of revert commit (#461) reverted the revert for set key changes for architecture, functions, set principal key and multi-tenant-setup.md 3 months ago			`'global_vault_provider'`
DOCS-KMIP-updates (#337) initial commit, fixes to code presentation - Updates to kmip with fixes to how we present code (website looks better now!) - Updates set-principal-key with similar fixes - Updated keyring.md with similar fixes And updated functions for two parameters with updates from 1506 4 months ago			`);`
Tde documentation updates for ga (#251) Modified the structure and overall presentation for the users to make it more accessible and future-proof as we improve pg_tde moving forward. Split big chapters into smaller chunks to improve SEO, renamed a couple of files for better visibility online and cleaned a bit of text. Integrated changes from: - https://github.com/percona/postgres/pull/314 - https://github.com/percona/postgres/pull/306 - Commit f636e82 4 months ago			```

			`## Parameter description`

Updating pg_tde_set_default_key_using_global_key_provider parameter (#351) Updates to # Global Principal Key Configuration parameter of setting global key Rewrote and added correct falste/true parameters for ensure_new_key on set_default_key. --------- Co-authored-by: Anastasia Alexandrova <anastasia.alexandrova@percona.com> 4 months ago			* `key-name` is the name under which the principal key is stored in the provider.
			* `global_vault_provider` is the name of the global key provider you previously configured.

			`## How key generation works`

Re-apply set key changes: revert of revert commit (#461) reverted the revert for set key changes for architecture, functions, set principal key and multi-tenant-setup.md 3 months ago			The key material (actual cryptographic key) is auto-generated by `pg_tde` and stored securely by the configured provider.
Updating pg_tde_set_default_key_using_global_key_provider parameter (#351) Updates to # Global Principal Key Configuration parameter of setting global key Rewrote and added correct falste/true parameters for ensure_new_key on set_default_key. --------- Co-authored-by: Anastasia Alexandrova <anastasia.alexandrova@percona.com> 4 months ago
			`!!! note`
Updated principal-key/features/functions.md based on AA feedback (#441) In set-principal-key.md: * updated with correct code example using set_server_key_using_global parameter * updated note to reflect correct config In features.md: * Removed temporary tables feature to clear confusion, removed logical replication mention, removed WAL encryption as a feature. In functions.md: * Added ON FUNCTION for grant/revoke execution * Modified sensitive info bolded paragraph to important note * Small modifications to notes display, title cases and text fixes * added note to Add or modify Vault providers for keeping the same principal key. * Added warning for WAL in pg_tde_create_key_using_global_key_provider In general: * Removed all logical replication mentions except the FAQ and in RC2 release note. 3 months ago			`This process sets the default principal key for the entire server. Any database without a key explicitly configured will fall back to this key.`
Updating pg_tde_set_default_key_using_global_key_provider parameter (#351) Updates to # Global Principal Key Configuration parameter of setting global key Rewrote and added correct falste/true parameters for ensure_new_key on set_default_key. --------- Co-authored-by: Anastasia Alexandrova <anastasia.alexandrova@percona.com> 4 months ago
			`## Example`
Tde documentation updates for ga (#251) Modified the structure and overall presentation for the users to make it more accessible and future-proof as we improve pg_tde moving forward. Split big chapters into smaller chunks to improve SEO, renamed a couple of files for better visibility online and cleaned a bit of text. Integrated changes from: - https://github.com/percona/postgres/pull/314 - https://github.com/percona/postgres/pull/306 - Commit f636e82 4 months ago
			`This example is for testing purposes only. Replace the key name and provider name with your values:`

			```sql
Re-apply set key changes: revert of revert commit (#461) reverted the revert for set key changes for architecture, functions, set principal key and multi-tenant-setup.md 3 months ago			`SELECT pg_tde_create_key_using_global_key_provider(`
			`'test-db-master-key',`
			`'file-vault'`
			`);`

			`SELECT pg_tde_set_key_using_global_key_provider(`
			`'test-db-master-key',`
			`'file-vault'`
DOCS-KMIP-updates (#337) initial commit, fixes to code presentation - Updates to kmip with fixes to how we present code (website looks better now!) - Updates set-principal-key with similar fixes - Updated keyring.md with similar fixes And updated functions for two parameters with updates from 1506 4 months ago			`);`
Tde documentation updates for ga (#251) Modified the structure and overall presentation for the users to make it more accessible and future-proof as we improve pg_tde moving forward. Split big chapters into smaller chunks to improve SEO, renamed a couple of files for better visibility online and cleaned a bit of text. Integrated changes from: - https://github.com/percona/postgres/pull/314 - https://github.com/percona/postgres/pull/306 - Commit f636e82 4 months ago			```

			`## Next steps`

			`[Validate Encryption with pg_tde :material-arrow-right:](../test.md){.md-button}`